Installing and Configuring WSUS with PowerShell

In setting up our SCCM 2012 infrastructure, I decided to patch our OS deployments using WSUS instead of SCCM Software Updates. Since we have multiple distribution points in different geographical areas, I decided to install a WSUS server in each location where we do deployments. Granted, installing and configuring WSUS is not the most technically challenging thing in the world, but when you have to do it multiple times, it begs for automation! So I fired up my trusty PowerShell ISE to see what could be done.

I wrote this script for my own environment, but it should be flexible enough to be used by anyone. It’s tested for use on Windows Server 2012 R2 and is designed to run in PowerShell ISE, so it doesn’t take any parameters; just set the variables as required. You can also change any of the WSUS configuration, such as Products and Classifications, by editing the relevant section of the script.

What does the script do?

First, we install .NET Framework 3.5 if it isn’t already installed, as this is a requirement for WSUS. Next, we download and install Microsoft Report Viewer 2008 SP1, which is required for viewing WSUS reports. If you chose the ‘SQLExpress’ installation, we download SQL Server 2012 Express SP1 with tools and run an unattended installation using default parameters. Then we install WSUS and run the post-installation tasks with wsusutil.exe.

Now, we do a basic configuration, which is equivalent to running the WSUS Configuration Wizard. We set the location to sync updates from, the update language/s, run a metadata sync to get available Products and Classifications, set which Products and Classifications we want to sync, and enable the automatic sync schedule. Then we do a full sync.

Once the sync is completed, we decline certain updates that we don’t want, such as all ‘itanium’ updates, configure and enable the Default Automatic Approval Rule, then run it so the updates will start downloading.

Most of these activities are optional and are activated using variables which you must set before you run the script, so if you want to use WID, or an existing SQL instance you can. You can skip the configuration entirely and do it manually, or just do the bare minimum, and of course you can customise the configuration in the script.

Step by Step Walkthrough

First, we set the variables, such as the WSUS installation type, the location for Updates, things to configure etc.

###############
## Variables ##
###############
##//INSTALLATION//##
# Do you want to install .NET FRAMEWORK 3.5? If true, provide a location for the Windows OS media in the next variable
$DotNet = $True
# Location of Windows sxs for .Net Framework 3.5 installation
$WindowsSXS = "D:\sources\sxs"
# Do you want to download and install MS Report Viewer 2008 SP1 (required for WSUS Reports)?
$RepViewer = $True
# WSUS Installation Type. Enter "WID" (for Windows Internal Database), "SQLExpress" (to download and install a local SQLExpress), or "SQLRemote" (for an existing SQL Instance).
$WSUSType = "SQLRemote"
# If using an existing SQL server, provide the Instance name below
$SQLInstance = "MyServer\MyInstance"
# Location to store WSUS Updates (will be created if doesn't exist)
$WSUSDir = "C:\WSUS_Updates"
# Temporary location for installation files (will be created if doesn't exist)
$TempDir = "C:\temp"
##//CONFIGURATION//##
# Do you want to configure WSUS (equivalent of WSUS Configuration Wizard, plus some additional options)? If $false, no further variables apply.
# You can customise the configurations, such as Products and Classifications etc, in the "Begin Initial Configuration of WSUS" section of the script.
$ConfigureWSUS = $True
# Do you want to decline some unwanted updates?
$DeclineUpdates = $True
# Do you want to configure and enable the Default Approval Rule?
$DefaultApproval = $True
# Do you want to run the Default Approval Rule after configuring?
$RunDefaultRule = $False

I prefer to use WSUS with a local SQL Express installation so I have some access to the database if I need to. If chosen, we download and install SQL Server Express 2012 SP1 with admin tools using an unattended installation. We use the ‘ALLFEATURES_WITHDEFAULTS’ role, and add the local administrators group to the SQL sysadmin accounts.
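One way to run that unattended install, with a signature check on the downloaded installer before it is executed. This is an added example, not the author's script; the download URL and file name are placeholders, and `Test-MicrosoftSignature` is a hypothetical helper.

```powershell
# Added example, not the original script. URL and file name are placeholders.
$TempDir      = 'C:\temp'
$InstallerUrl = 'https://download.example.invalid/SqlExpressSetup.exe'   # placeholder
$Installer    = Join-Path $TempDir 'SqlExpressSetup.exe'                 # placeholder

function Test-MicrosoftSignature {
    # Hypothetical helper: true only for a valid Authenticode signature whose
    # signer certificate names Microsoft Corporation as the organisation.
    param([Parameter(Mandatory = $true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    return $sig.SignerCertificate.Subject -match '(^|,\s*)O=Microsoft Corporation(,|$)'
}

if (-not (Test-Path $TempDir)) { New-Item -ItemType Directory -Path $TempDir | Out-Null }
Invoke-WebRequest -Uri $InstallerUrl -OutFile $Installer -UseBasicParsing

# Stop before anything fetched over the network runs with administrator rights.
if (-not (Test-MicrosoftSignature -Path $Installer)) {
    Remove-Item -Path $Installer -Force
    throw ('Not running {0}: signature missing, invalid, or not Microsoft.' -f $Installer)
}

# Unattended install with the role and sysadmin group described above.
$setupArgs = @(
    '/Q'
    '/ACTION=Install'
    '/ROLE=AllFeatures_WithDefaults'
    '/SQLSYSADMINACCOUNTS="BUILTIN\Administrators"'
    '/IACCEPTSQLSERVERLICENSETERMS'
)
$setup = Start-Process -FilePath $Installer -ArgumentList $setupArgs -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
if ($setup.ExitCode -notin 0, 3010) {
    throw ('SQL Server setup failed with exit code {0}.' -f $setup.ExitCode)
}
```

Because `/SQLSYSADMINACCOUNTS` is given the local Administrators group, anyone who is a local administrator on the WSUS server is also a sysadmin on this SQL instance.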

We tell WSUS which Products we want to sync. It’s very important to get these right, otherwise you will download a lot of updates that you don’t need and fill up your disk space! Obviously you’ll want to customise these for your environment.

I guess it’s a bug, but it seems WSUS sometimes enables the entire parent Product when adding them by script this way, so we pause the script and prompt to check in the WSUS console that the correct Products are selected before continuing.
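The console check described above can be done by reading the subscription back and comparing it with the list that was requested. This is an added example, not the author's script; the product titles are sample values and the variable names are assumptions.

```powershell
# Added example, not the original script. Product titles are sample values.
$WantedProducts = @('Windows 7', 'Windows Server 2012 R2', 'Office 2010')

$wsus = Get-WsusServer

# Select only the products whose title matches the wanted list exactly.
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -in $WantedProducts } |
    Set-WsusProduct

# Read back what the subscription will actually synchronise.
$enabled = @($wsus.GetSubscription().GetUpdateCategories() |
    ForEach-Object { $_.Title })

$unexpected = @($enabled        | Where-Object { $_ -notin $WantedProducts })
$missing    = @($WantedProducts | Where-Object { $_ -notin $enabled })

if ($unexpected.Count -gt 0) {
    # A parent product that was switched on as a side effect shows up here.
    Write-Warning ('Enabled but not requested: {0}' -f ($unexpected -join '; '))
}
if ($missing.Count -gt 0) {
    Write-Warning ('Requested but not enabled: {0}' -f ($missing -join '; '))
}

if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) {
    Write-Output ('Subscription matches the wanted list ({0} products).' -f $enabled.Count)
} else {
    # Keep the manual pause only when the read-back disagrees with the request.
    Read-Host 'Correct the Products in the WSUS console, then press Enter to continue'
}
```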

After the sync is complete, we decline some updates that we don’t want. In my example, we are declining IE10 and the Microsoft Browser Choice EU updates, which we don’t want (I used the KB article number in the ‘TextIncludes’ parameter to find them), then we decline all ‘itanium’ updates because we don’t have any itanium servers. Do you?

Finally, we run the rule, which will approve the updates and begin the file downloads. However, in my testing this always errors with a timeout when activated through PowerShell, so I put it in a try-catch-finally block to finish the script successfully. Even if it errors, the rule is actually run, as you will be able to see from the WSUS console.
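The decline and approval steps, sketched with the WSUS administration API. This is an added example, not the author's script; `KB0000000` is a placeholder for the KB numbers you want to decline, and `Deny-MatchingUpdate` is a hypothetical helper.

```powershell
# Added example, not the original script. 'KB0000000' is a placeholder.
$wsus = Get-WsusServer

function Deny-MatchingUpdate {
    # Hypothetical helper: declines every not-yet-declined update whose title,
    # description or KB article contains $Text, and returns how many it declined.
    param([Parameter(Mandatory = $true)][string]$Text)
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.TextIncludes = $Text
    $hits = @($wsus.GetUpdates($scope) | Where-Object { -not $_.IsDeclined })
    foreach ($update in $hits) { $update.Decline() }
    return $hits.Count
}

foreach ($text in 'KB0000000', 'itanium') {
    $count = Deny-MatchingUpdate -Text $text
    Write-Output ('Declined {0} updates matching "{1}"' -f $count, $text)
}

# Enable and save the built-in rule before applying it.
$rule = $wsus.GetInstallApprovalRules() |
    Where-Object { $_.Name -eq 'Default Automatic Approval Rule' }
$rule.Enabled = $true
$rule.Save()

try {
    [void]$rule.ApplyRule()
} catch {
    # The call can time out while the server carries on, as described above.
    Write-Warning ('ApplyRule reported: {0}' -f $_.Exception.Message)
} finally {
    # Confirm the effect from the server instead of trusting the call's result.
    $approved = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $approved.ApprovedStates =
        [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
    Write-Output ('Approved updates on the server: {0}' -f $wsus.GetUpdateCount($approved))
}
```

If the rule is still running when the count is taken, the number keeps rising; run the last three lines again to see it settle.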

Monitoring the Update File Downloads

After the Default Approval Rule has been run, you can monitor the ‘Download Status’ of the update files in the WSUS console. But since it can take a long time, I wrote a little script that will monitor the downloads and email me once they have finished. It must be run as administrator on the WSUS server.
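A monitor of this kind can be built on the server's content download progress. This is an added example, not the author's monitoring script; the mail settings are placeholders, the poll interval and stall limit are assumptions, and it must be run elevated on the WSUS server.

```powershell
# Added example, not the author's monitoring script. Mail settings are placeholders.
$SmtpServer = 'smtp.example.invalid'
$MailFrom   = 'wsus@example.invalid'
$MailTo     = 'admin@example.invalid'
$PollSecs   = 300
$MaxStalls  = 12        # 12 polls without progress = one hour

$wsus   = Get-WsusServer
$last   = -1
$stalls = 0

while ($true) {
    $p = $wsus.GetContentDownloadProgress()

    # Finished: something was queued and every byte of it has arrived.
    if ($p.TotalBytesToDownload -gt 0 -and
        $p.DownloadedBytes -ge $p.TotalBytesToDownload) {
        $subject = 'WSUS downloads finished'
        break
    }

    # Stalled: the byte count has not moved for $MaxStalls consecutive polls.
    # This also catches the case where nothing was ever queued.
    if ($p.DownloadedBytes -eq $last) { $stalls++ } else { $stalls = 0 }
    if ($stalls -ge $MaxStalls) {
        $subject = 'WSUS downloads stalled'
        break
    }

    $last = $p.DownloadedBytes
    Start-Sleep -Seconds $PollSecs
}

$body = '{0:N1} GB of {1:N1} GB downloaded on {2}.' -f
    ($p.DownloadedBytes / 1GB), ($p.TotalBytesToDownload / 1GB), $env:COMPUTERNAME

Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
    -Subject $subject -Body $body
```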

Email Notifications

Finally, if you configure E-mail Notifications in WSUS, you may hit the lovely 5.7.1 error from Exchange:

Mailbox unavailable. The server response was: 5.7.1 Client does not have permissions to send as this sender

This is because it tries to authenticate with its computer account. So you have to create a new Receive Connector in Exchange to allow relaying from anonymous users with TLS-authentication to work around the problem.

Incidentally, you can’t really configure E-mail Notifications with PowerShell as you must set the recipient email address for it to work, and this is a read-only property that PowerShell can’t change, so better to do it manually.

That’s it! Feel free to suggest some improvements, or take the code and make something better yourself!

Most of the WSUS code I learned from these great resources, especially the work of Boe Prox

Thanks Alex. That’s a good alternative to using Get-WsusProduct | Set-WsusProduct, however it only works with the current subscription, so if you’ve already set the subscription you can only filter on Update Categories that have already been set. The Get-WsusProduct | Set-WsusProduct method works independently of the current subscription.

At any rate, this is my project, after a few weeks of stagnation, I hope to have it finished and unit tested in a few days: https://github.com/vinyar/wsus (It’s a Chef Cookbook for standing up WSUS and connecting clients to it)